All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please mail to content@vulners.com Vulners, 2018

{"myhack58": [{"lastseen": "2016-10-29T18:09:51", "bulletinFamily": "info", "description": "In the past year, the container being at an amazing speed of development, the country also has a large number of Internet companies in the production environment using Docker, which are also million units of the scale. The other day the clouds exposed Swarm configuration problem caused by the security risks, but also to let everyone on Docker security filed a concern, this article mainly from the\u201cDocker's own security\u201d,\u201cDockerImages security\u201dand\u201cDocker using the safety hazard\u201dto talk about Docker security of those things. \n0x01 Docker for their own safety \nNormalized summed up under the CVE on the Docker vulnerability report,results are as follows: \nNumber \nCVE number \nVulnerability version \nVulnerability name \n1 \nCVE-2 0 1 5-3 6 3 0 \n1.6.0 \nDocker Libcontainer security bypass vulnerability \n2 \nCVE-2 0 1 5-3 6 2 7 \n1.6.1 \nLibcontainer and Docker Engine licenses, and access control vulnerability \n3 \nCVE-2 0 1 5-3 6 3 0 \n1.6.1 \nThe Docker Engine security bypass vulnerability \n4 \nCVE-2 0 1 4-9 3 5 8 \n1.3.3 \nThe Docker directory traversal vulnerability \n5 \nCVE-2 0 1 4-9 3 5 7 \n1.3.2 \nDocker licenses, and access control vulnerability \n6 \nCVE-2 0 1 4-6 4 0 8 \n1.3.1 \nDocker licenses, and access control vulnerability \n7 \nCVE-2 0 1 4-5 2 7 7 \n1.3.0 \nDocker and docker-py code injection vulnerability \nAll of the vulnerabilities: https://docs.docker.com/engine/security/non-events/ \nCan be found in Docker there is a problem of the version are in 1. 3 and 1. 6, because the access control and other problems can result from the container get into the host machine permissions. Docker in the 6 month released the latest version 1. 1 2 Version, from 1. 6 to now 1. 1 2 are not broke loopholes in the case, excluding the Oday possible. 
As far as Docker itself is concerned, security can be assured: both container isolation and container resource limits perform very well. Most security problems lie with the user, because a container that is used incorrectly or misconfigured runs in a dangerous state. \n0x02 Docker image security \nThe container environment is built on the container image, so once the image carries a risk the container's security drops sharply. A container image is a stack of layers built from a Dockerfile, as shown below: \n![](/Article/UploadPic/2016-7/201676115312311.png) \nThe bottom layer is the base image \"atiger77:1.0\"; the second layer adds the run.sh script to a directory in the container on top of it; the third layer makes the container execute run.sh at runtime. Docker images have their own caching mechanism: during a build each layer is checked in turn, and if a lower layer has not changed its cached layer is reused to save build time; if a change is detected, that layer is rebuilt. \nImage security is discussed here in two cases. \nSoftwareVulnerability: software used in the image has high-risk vulnerabilities \nBadImages: container images that contain a backdoor \n1. SoftwareVulnerability \nGiven the layering just described, if the base image uses software with a high-risk vulnerability, every image built from that base image inherits the problem. An example: \n![](/Article/UploadPic/2016-7/201676115313984.jpg) \nIn the figure the base image installs only basic dependencies, among which the software abc has a high-risk vulnerability. 
Two images are built from that base image: the left one adds the code directory to the container, the right one compiles gcc on top of the base image. When abc in the base image has a high-risk vulnerability, every image that depends on it is at risk. In that case the vulnerable software in the base image must be fixed first, and every dependent image rebuilt afterwards. \nTo test this for real, the author downloaded several images from Docker Hub and GitHub. \nVulnerability tested: the Bash (Shellshock) vulnerabilities, using the test script https://github.com/hannob/bashcheck/blob/master/bashcheck \nVersions tested: the official CentOS images, versions centos5.11, 6.6 and 7.2 \n![](/Article/UploadPic/2016-7/201676115313444.jpg) \nTest procedure: \nVersion 5.11 \n![](/Article/UploadPic/2016-7/201676115313856.jpg) \nVersion 6.6 \n![](/Article/UploadPic/2016-7/201676115313237.jpg) \nVersion 7.2 \n![](/Article/UploadPic/2016-7/201676115314433.jpg) \nTest results: the official centos5.11 and centos6.6 images downloaded from Docker Hub still carry the Bash vulnerability CVE-2014-6277. The CVE record is dated 2014-09-09, while the official centos6.6 image was last updated on 2015-05-04, so the image was refreshed after disclosure without the fix. \nCVE record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277 \nDocker-Centos6.
6 official Dockerfile: https://github.com/CentOS/sig-cloud-instance-images/blob/8911843d9a6cc71aadd81e491f94618aded94f30/docker/Dockerfile \nAlthough the base image carries this vulnerability, a container usually runs a service and normally nobody needs to enter it and operate a shell, and what is demonstrated here is only one common vulnerability; other service vulnerabilities will of course turn up in container images too. My recommendation: a company should build its own base images so that the base is known to be clean and safe. Many people have also started using the alpine image, with which a CentOS-equivalent image comes to only a few dozen MB. \nSo container security seems to be under control: even if the service or application inside has a flaw that lets an attacker upload a webshell, the attacker's reach is limited to the container and the host is unaffected. Is the container really that safe, then? Not entirely. Below I describe how to get host privileges through the container. \n2. BadImages \nBadImages does not mean \"broken images\" but \"malicious images\". Going through all the WooYun reports with the keywords \"Docker\" and \"container\", most of the submitted vulnerabilities are Swarm misconfigurations that leave the remote API open to unauthenticated access; for the corresponding fix see the earlier article at http://drops.wooyun.org/papers/15892 . 
Among all the Docker reports, one is particularly interesting: using a custom Dockerfile to pop a reverse shell and obtain a machine on a public cloud. Let's look at that Dockerfile in the next chapter. \n\n\n**[1] [[2]](<76632_2.htm>) [next](<76632_2.htm>)**\n", "modified": "2016-07-06T00:00:00", "published": "2016-07-06T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/76632.htm", "id": "MYHACK58:62201676632", "type": "myhack58", "title": "Docker security of those things - vulnerability warning - the black bar safety net", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-03-13T01:14:58", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-06-15T00:00:00", "published": "2009-06-15T00:00:00", "id": "1337DAY-ID-5365", "href": "https://0day.today/exploit/description/5365", "type": "zdt", "title": "SugarCRM 5.2.0e Remote Code Execution Vulnerability", "sourceData": "===================================================\r\nSugarCRM 5.2.0e Remote Code Execution Vulnerability\r\n===================================================\r\n\r\n\r\nSugarCRM 5.2.0e Remote Code Execution\r\n\r\n Name Remote Code Execution in SugarCRM\r\n Systems Affected SugarCRM 5.2.0e and possibly earlier versions\r\n Severity High\r\n Impact (CVSSv2) High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)\r\n Vendor http://www.sugarcrm.com\r\n Advisory http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt\r\n Authors Antonio \"s4tan\" Parata (s4tan AT ush DOT it)\r\n Francesco \"ascii\" Ongaro (ascii AT ush DOT it)\r\n Giovanni \"evilaliv3\" Pellerano (evilaliv3 AT ush DOT it)\r\n Date 20090613\r\n\r\nI. BACKGROUND\r\n\r\nFrom the SugarCRM web site: \"Sugar Express is designed for individuals\r\nand small companies. Core CRM features help employees get on the same\r\npage while more complex functionality is stripped away. 
Sugar Express is\r\nideal for providing a single view of the customer from the initial\r\nmarketing campaign through the sales cycle and on to customer support.\r\nWith Sugar Express, companies have a single system of truth for managing\r\ncustomer interactions.\".\r\n\r\nII. DESCRIPTION\r\n\r\nA Remote Code Execution Vulnerability exists in SugarCRM software.\r\n\r\nIII. ANALYSIS\r\n\r\nSummary:\r\n\r\nA Remote Code Execution issue has been found in SugarCRM version\r\n5.2.0e. In order to exploit this vulnerability an account on the system\r\nis required.\r\n\r\nThe vulnerability resides in the \"Compose Email\" section. The software\r\npermits sending email with attachments (if not disabled by the\r\nadministrator). When the name of the file is specified, a validation\r\nroutine is called:\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nfunction safeAttachmentName($filename) {\r\n\tglobal $sugar_config;\r\n\t$badExtension = false;\r\n\t//get position of last \".\" in file name\r\n\t$file_ext_beg = strrpos($filename, \".\");\r\n\t$file_ext = \"\";\r\n\t//get file extension\r\n\tif($file_ext_beg > 0) {\r\n\t\t$file_ext = substr($filename, $file_ext_beg + 1);\r\n\t}\r\n\t//check to see if this is a file with extension located in \"badext\"\r\n\tforeach($sugar_config['upload_badext'] as $badExt) {\r\n\t if(strtolower($file_ext) == strtolower($badExt)) {\r\n\t //if found, then append with .txt and break out of lookup\r\n\t $filename = $filename . \".txt\";\r\n\t $badExtension = true;\r\n\t break; // no need to look for more\r\n\t } // if\r\n\t} // foreach\r\n\treturn $badExtension;\r\n}\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nThis routine checks if the extension of the filename is blacklisted,\r\nif so the \".txt\" extension is appended to the filename. 
However there is\r\na coding error: the function assumes that the filename (extension\r\nexcluded) is at least one char long, this assumption is derived from the\r\nstatement:\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nif($file_ext_beg > 0)\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nOf course this is a bad assumption, if we set the whole filename to\r\n\".php\" than the check is skipped and a void extension is assumed.\r\nBecause void extensions are not in the blacklist, no futher extension\r\nis added to the filename. After this check a file is created on the\r\nfilesystem in the form \"<id><filename>\".\r\n\r\nWhere \"id\" is an alphanumeric string. With the trick illustrated we are\r\nable to create a file with \".php\" extension. To do this upload a new\r\nfile attachment and set the filename to \".php\".\r\n\r\nAfter this the attacker has to find the name of the file that was\r\nuploaded in the attachment list files. To obtaint the real filename\r\nlook in the HTML response for a string like:\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\n<input value=\"6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php\" name=\"email_atta\r\nchment0\" id=\"email_attachment10\" type=\"hidden\">\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nThe real filename in this case is \"6e25aba0-9dc4-2a57-8bae-4a1317b35d47.\r\nphp\". 
Now the attacker has to find the directory where the file resides.\r\n\r\nAgain, searching the HTML page for the attribute \"assigned_user_id\"\r\nreveals the needed information:\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\n<a href=\"index.php?module=Emails&action=ListView&assigned_user_id=abf7c7\r\n7b-2f71-8071-63ba-4a131068e9a2&type=archived\">\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nAt this point the attacker has all the information needed to invoke the\r\nuploaded file.\r\n\r\nFilename: 6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php\r\nAssigned user id: abf7c77b-2f71-8071-63ba-4a131068e9a2\r\n\r\nThe file is served from the cache directory under a path built from these\r\ntwo values; to request it directly issue a request to:\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nhttp://www.example.com/cache/modules/Emails/abf7c77b-2f71-8071-63ba-4a13\r\n1068e9a2/6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nAs a final note: if the user is \"administrator\", \"assigned_user_id\" is\r\nalways \"1\".\r\n\r\nIV. DETECTION\r\n\r\nSugarCRM 5.2.0e and possibly earlier versions are vulnerable.\r\n\r\nV. WORKAROUND\r\n\r\nUpgrade to the latest version, 5.2.0f.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\n\"We have fixed the issue and will be shipping the patch on June 12th.\r\nWe will be doing a full pass of quality assurance in this area to\r\nensure that no other issues crop up around file uploads.\r\nThe fix involves modifying the code that handles uploads for email\r\nattachments to save the files using just a GUID rather than the original\r\nfile name. This is similar to how uploads are handled elsewhere in the\r\napplication and should prevent the code from being executable on the\r\nserver side.\"\r\n\r\nVII. CVE INFORMATION\r\n\r\nNo CVE at this time.\r\n\r\nVIII. 
DISCLOSURE TIMELINE\r\n\r\n20090519 Bug discovered\r\n20090528 First vendor contact\r\n20090528 Vendor response\r\n20090530 Vendor confirms the vulnerability\r\n20090602 Vendor proposes a possible fix and patch release\r\n20090612 Vendor releases SugarCRM 5.2.0f (vulnerability fixed)\r\n20090613 Advisory released\r\n\r\nIX. CREDIT\r\n\r\nAntonio \"s4tan\" Parata, Francesco \"ascii\" Ongaro and Giovanni\r\n\"evilaliv3\" Pellerano are credited with the discovery of this\r\nvulnerability.\r\n\r\nAntonio \"s4tan\" Parata\r\nweb site: http://www.ush.it/\r\nmail: s4tan AT ush DOT it\r\n\r\nFrancesco \"ascii\" Ongaro\r\nweb site: http://www.ush.it/\r\nmail: ascii AT ush DOT it\r\n\r\nGiovanni \"evilaliv3\" Pellerano\r\nweb site: http://www.ush.it/, http://www.evilaliv3.org/\r\nmail: evilaliv3 AT ush DOT it\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright (c) 2009 Francesco \"ascii\" Ongaro\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without my express\r\nwritten consent. If you wish to reprint the whole or any\r\npart of this alert in any medium other than electronically,\r\nplease email me for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\nThere are no warranties with regard to this information. 
Neither the\r\nauthor nor the publisher accepts any liability for any direct, indirect,\r\nor consequential loss or damage arising from use of, or reliance on,\r\nthis information.\r\n\r\n\r\n\n# 0day.today [2018-03-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/5365"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "description": "\r\nSummary\r\n\r\nThe vendor (Telestream) provides the following description of the software:\r\n\r\n Flip4Mac\u2122 WMV is a collection of QuickTime components that allow you to play, import, and export Windows Media video and audio files on your Mac using your favorite QuickTime-based applications. \r\n\r\nWMV files use the Advanced Systems Format (ASF) container format, originally supported on Macintosh systems via Microsoft's \"Windows Media Player for Mac\". Since Microsoft decided to stop development of its Mac port of Windows Media Player, Flip4Mac became the 'endorsed', somewhat official solution.\r\n\r\nFlip4Mac fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution.\r\n\r\nASF_File_Properties_Object:\r\n8CABDCA1-A947-11CF-8EE4-00C00C205365  71494647607722088  112       --| GUID\r\n0x70: A1 DC AB 8C 47 A9 CF 11 8E E4 00 C0 0C 20 53 65   ----/\r\n0x80: 68 00 00 FF 00 00 00 00 63 79 0C 20 28 50 D5 11   [size at 0x80]\r\n\r\nSee the 'Debugging information' section for further details.\r\n\r\nAffected versions\r\n\r\nVerified with QuickTime\u2122 Player Version 7.1.3 and Windows Media\u00ae Components for QuickTime Version 2.1.0.33, on Mac OS X 10.4.8 (8L2127), x86.\r\n\r\nProof of concept, exploit or instructions to reproduce\r\n\r\nThe sample proof of concept provided shows the saved eip being overwritten with a bogus address (it is known not to work on PowerPC, as the 
conditions are slightly different).\r\n\r\nDebugging information\r\n\r\nThe following debugging information shows QuickTime triggering the issue when opening the provided proof of concept WMV file.\r\n\r\nProgram received signal EXC_BAD_ACCESS, Could not access memory.\r\nReason: KERN_INVALID_ADDRESS at address: 0xff3472b0\r\n0xffff0b08 in ___memcpy () at /System/..../i386/cpu_capabilities.h:228\r\n228 in /System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h\r\n(gdb) back\r\n#0 0xffff0b08 in ___memcpy () at /System/..../i386/cpu_capabilities.h:228\r\n#1 0xff000050 in ?? ()\r\n#2 0x011ae3ff in MjpgDecompressorComponentDispatch ()\r\n#3 0x011b2504 in MjpgDecompressorComponentDispatch ()\r\n#4 0x011af955 in MjpgDecompressorComponentDispatch ()\r\n#5 0x0101d617 in MmsDataHandlerComponentDispatch ()\r\n#6 0x011b1791 in MjpgDecompressorComponentDispatch ()\r\n#7 0x0100dc82 in AsfMovieImportComponentDispatch ()\r\n#8 0x01013c28 in AsfMovieImportComponentDispatch ()\r\n#9 0x90cccf6e in CallComponentFunctionCommon ()\r\n#10 0x0100b005 in AsfMovieImportComponentDispatch ()\r\n#11 0x90ccca3c in CallComponentDispatch ()\r\n#12 0x94390dc6 in MovieImportDataRef ()\r\n#13 0x0100a45f in dyld_stub_TECGetEncodingList ()\r\n#14 0x90cccf6e in CallComponentFunctionCommon ()\r\n#15 0x0100b005 in AsfMovieImportComponentDispatch ()\r\n#16 0x90ccca3c in CallComponentDispatch ()\r\n#17 0x943b7656 in MovieImportFile ()\r\n#18 0x943b749c in newMovieFromFileFromComponent ()\r\n#19 0x9430678d in getNewMovieFromFileUsingImporters ()\r\n#20 0x94306131 in NewMovieFromFilePriv ()\r\n#21 0x94302778 in NewMovieFromDataRefPriv_priv ()\r\n#22 0x9430145e in NewMovieFromProperties_priv ()\r\n#23 0x95a2e980 in -[QTMovie initWithAttributes:error:] ()\r\n#24 0x95a2cf91 in 
+[QTMovie movieWithAttributes:error:] ()\r\n#25 0x0000ad3b in -[QTPMovieDocument readFromFile:ofType:] ()\r\n#26 0x0000ac08 in -[QTPMovieDocument initWithContentsOfFile:ofType:isHotPicks:] ()\r\n#27 0x00013153 in -[QTPMovieDocument initWithContentsOfFile:ofType:] ()\r\n#28 0x934fd82b in -[NSDocumentController(NSDeprecated) makeDocumentWithContentsOfFile:ofType:] ()\r\n#29 0x93541c31 in -[NSDocumentController(NSDeprecated) _openDocumentFileAt:display:] ()\r\n#30 0x00012ee9 in -[QTPApplicationDelegate openFiles:openInNewPlayer:] ()\r\n#31 0x00012daf in -[QTPApplicationDelegate application:openFiles:] ()\r\n#32 0x9326ad3b in -[NSApplication _doOpenFile:ok:tryTemp:] ()\r\n#33 0x93268305 in -[NSApplication finishLaunching] ()\r\n#34 0x93267c29 in -[NSApplication run] ()\r\n#35 0x9325bd2f in NSApplicationMain ()\r\n#36 0x0004040a in _start ()\r\n#37 0x00040325 in start ()\r\n\r\n(gdb) x/x $esp\r\n0xbfffe3f0: 0xff000050\r\n\r\nThe saved eip for the current frame has been overwritten with a bogus address:\r\n\r\n(gdb) i f\r\nStack level 0, frame at 0xbfffe3f8:\r\n eip = 0xffff0b08 in ___memcpy (/System/.../cpu_capabilities.h:228); saved eip 0xff000050\r\n called by frame at 0xbfffe400\r\n source language unknown.\r\n Arglist at 0xbfffe3f0, args: \r\n Locals at 0xbfffe3f0, Previous frame's sp is 0xbfffe3f4\r\n Saved registers:\r\n eip at 0xbfffe3f0\r\n(gdb) x/x 0xff000050\r\n0xff000050: Cannot access memory at address 0xff000050\r\n(gdb) x/10 0xbfffe3f0\r\n0xbfffe3f0: 0xff000050 0xbfffe458 0xbfffe418 0x011ae3ff\r\n0xbfffe400: 0x00347270 0x01836a70 0xff000050 0x90002448\r\n0xbfffe410: 0x00347250 0xbfffe470\r\n\r\n(gdb) DM 0x00347250 40\r\nDisplaying memory from 00347250\r\n 00347250: A8DA 2001 0100 0000 A1DC AB8C 47A9 CF11 .. 
.........G...\r\n 00347260: 8EE4 00C0 0C20 5365 6800 00FF 0000 0000 ..... Seh.......\r\n 00347270: 0000 0000 0000 0000 ........ \r\n\r\nThe memory above is the content of the WMV file from offset 0x70 to 0x90.\r\n\r\nNotes\r\n\r\nExploitation conditions\r\n\r\nGiven that we can overwrite the saved eip (and thus subvert the execution flow) and supply any payload of our choice by appending it to the WMV file, exploitation for arbitrary code execution is clearly possible. However, the conditions on PowerPC and x86 are slightly different, so the same file will not work for both architectures (this has nothing to do with payload limitations, since a payload that works on both ppc and x86, such as nemo's multi-arch shellcode, can be used).\r\n\r\nA working exploit for this issue might be developed later today and released as soon as it has been tested and is known to be reliable.\r\n\r\nWorkaround or temporary solution\r\n\r\nDisable Flip4Mac and/or the automatic opening of WMV files, and wait for a patch to be released by the vendor (Telestream).\r\n", "modified": "2007-01-29T00:00:00", "published": "2007-01-29T00:00:00", "id": "SECURITYVULNS:DOC:15892", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15892", "title": "MOAB-27-01-2007: Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
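Added example for the SugarCRM 5.2.0e advisory above; this is not SugarCRM's code or the advisory authors' code. It re-expresses the `safeAttachmentName()` logic in Python to show why a filename consisting only of `.php` slips past the `> 0` test, and puts two remedies beside it: the same routine with the position test corrected, and storing the upload under a random identifier with no extension, which is the approach the vendor describes in its response. The blacklist contents and all function names are assumptions made here; in SugarCRM the list comes from `$sugar_config['upload_badext']`.

```python
"""Added example: the SugarCRM 5.2.0e attachment-name check reproduced in
Python next to a hardened version. Not SugarCRM's code."""
import secrets

# Assumed blacklist. The real value comes from $sugar_config['upload_badext'].
UPLOAD_BADEXT = ["php", "php3", "php4", "php5", "phtml", "pl", "cgi", "py", "asp", "jsp"]


def safe_attachment_name_vulnerable(filename: str) -> str:
    """Mirror of the advisory's PHP safeAttachmentName() with the same bug.

    PHP's strrpos() returns 0 when the only dot is the first character, and
    the original test is `if ($file_ext_beg > 0)`, so ".php" is treated as
    having no extension at all and is never compared with the blacklist.
    Returns the name the file would be stored under.
    """
    file_ext_beg = filename.rfind(".")      # -1 when there is no dot
    file_ext = ""
    if file_ext_beg > 0:                     # BUG: position 0 is a valid dot
        file_ext = filename[file_ext_beg + 1:]
    for bad_ext in UPLOAD_BADEXT:
        if file_ext.lower() == bad_ext.lower():
            return filename + ".txt"         # neutralise a blacklisted extension
    return filename


def safe_attachment_name_fixed(filename: str) -> str:
    """Same routine with the position test corrected: a leading dot counts."""
    file_ext_beg = filename.rfind(".")
    file_ext = ""
    if file_ext_beg >= 0:                    # 0 (a leading dot) is handled too
        file_ext = filename[file_ext_beg + 1:]
    if file_ext.lower() in [e.lower() for e in UPLOAD_BADEXT]:
        return filename + ".txt"
    return filename


def storage_name() -> str:
    """What the vendor's fix does instead: a random identifier with no
    extension, so the user-supplied name never reaches the filesystem."""
    return secrets.token_hex(16)


def store_attachment(filename: str) -> dict:
    """Upload record: random on-disk name, original name kept only as
    display metadata (assumed structure, not SugarCRM's)."""
    return {"display_name": filename, "stored_as": storage_name()}
```

The corrected check only catches what is on the list, which is why the vendor's fix goes further and drops the original name from the stored path entirely: with `store_attachment(".php")` the file on disk has no extension for the web server to act on, whatever the client sent.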
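Added example for the MOAB-27-01-2007 Flip4Mac advisory above; it is not code from the advisory, from Telestream or from Apple. It is a minimal reader for ASF's object framing, in which every object is a 16-byte GUID followed by a 64-bit little-endian size that includes the 24-byte header, and it checks each size field against the bytes actually present before trusting it, which is the check a memcpy driven by the raw size field lacks. The samples are constructed here: one well-formed pair of objects, and one whose header carries the bytes printed in the advisory (`A1 DC AB 8C ... 68 00 00 FF 00 00 00 00`, a claimed size of 0xFF000068). The reader walks a flat sequence of objects from a given offset and does not model the ASF Header Object's own count and reserved fields; the object GUIDs are the ones from the ASF specification.

```python
"""Added example: bounds-checked ASF object walker. Not vendor code."""
import struct
import uuid

# Object GUIDs from the ASF specification, in the string form the advisory uses.
ASF_FILE_PROPERTIES_OBJECT = "8CABDCA1-A947-11CF-8EE4-00C00C205365"
ASF_STREAM_PROPERTIES_OBJECT = "B7DC0791-A9B7-11CF-8EE6-00C00C205365"
OBJECT_HEADER_LEN = 24  # 16-byte GUID + 8-byte size; the size counts the header


def guid_to_str(raw: bytes) -> str:
    """Decode an on-disk GUID (first three fields little-endian)."""
    return str(uuid.UUID(bytes_le=raw)).upper()


def claimed_size(header: bytes) -> int:
    """The 64-bit little-endian size field of a 24-byte object header."""
    return struct.unpack_from("<Q", header, 16)[0]


def build_object(guid: str, body: bytes) -> bytes:
    """Serialise one object with a correct size field."""
    return uuid.UUID(guid).bytes_le + struct.pack("<Q", OBJECT_HEADER_LEN + len(body)) + body


def parse_objects(data: bytes, offset: int = 0) -> list:
    """Walk objects starting at `offset`; refuse any size that does not fit.

    Returns (guid, size, offset) per object, or raises ValueError instead of
    reading past the end of the buffer.
    """
    found = []
    while offset < len(data):
        remaining = len(data) - offset
        if remaining < OBJECT_HEADER_LEN:
            raise ValueError(f"truncated object header at offset {offset:#x}")
        guid = guid_to_str(data[offset:offset + 16])
        size = claimed_size(data[offset:offset + OBJECT_HEADER_LEN])
        if size < OBJECT_HEADER_LEN:
            raise ValueError(f"{guid} at {offset:#x}: size {size} smaller than its header")
        if size > remaining:
            raise ValueError(f"{guid} at {offset:#x}: size {size:#x} exceeds {remaining} remaining bytes")
        found.append((guid, size, offset))
        offset += size
    return found


def validate(data: bytes, offset: int = 0):
    """Return None when every object fits, otherwise the error text."""
    try:
        parse_objects(data, offset)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed samples (not the advisory's PoC file).
GOOD_SAMPLE = (
    build_object(ASF_FILE_PROPERTIES_OBJECT, bytes(80))      # 104-byte object
    + build_object(ASF_STREAM_PROPERTIES_OBJECT, bytes(54))  # 78-byte object
)
# Header bytes as printed in the advisory at file offset 0x70: the File
# Properties GUID followed by size 0x00000000FF000068; 80 filler bytes follow.
ADVISORY_HEADER = bytes.fromhex("A1DCAB8C47A9CF118EE400C00C205365" "680000FF00000000")
BAD_SAMPLE = ADVISORY_HEADER + bytes(80)
```

`validate(GOOD_SAMPLE)` returns None, while `validate(BAD_SAMPLE)` reports that the File Properties Object claims 0xff000068 bytes when only 104 remain; a parser that stops there never hands the bogus length to the copy that crashes in the backtrace above.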